
fix: incomplete fix for cve#10755

Merged
jasonsaayman merged 1 commit into v1.x from fix/ghsa-pmwg-cvhr-8vh7
Apr 18, 2026

Conversation

@jasonsaayman
Member

@jasonsaayman jasonsaayman commented Apr 18, 2026

Summary by cubic

Fixes incomplete mitigation for GHSA-pmwg-cvhr-8vh7 by correctly detecting all loopback forms in shouldBypassProxy, ensuring NO_PROXY bypass applies to 127/8, ::1 variants, and IPv4-mapped IPv6. This prevents unintended proxying of local addresses and closes bypass gaps.

  • Bug Fixes

    • Implemented robust loopback checks:
      • IPv4: entire 127.0.0.0/8 subnet.
      • IPv6: ::1, 0:0:0:0:0:0:0:1, and IPv4-mapped forms (e.g., ::ffff:127.0.0.1 and ::ffff:7f00:1 range).
    • Treat NO_PROXY loopback entries as cross-equivalent across IPv4/IPv6 forms, with port-aware matching.
    • Replaced broad hostname set with precise parsing to avoid false positives.
  • Notes

    • Docs: Add a note in /docs/ about loopback handling and NO_PROXY equivalence across IPv4/IPv6, including port-specific behavior.
    • Testing: Added unit tests covering 127/8, IPv6 full-form and mapped variants, negative cases, and port matching.
    • Semantic version impact: Patch. Security fix with no API changes.

Written for commit 44c472a. Summary will update on new commits.
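The loopback handling the summary describes (127.0.0.0/8, `::1` in compressed and full form, IPv4-mapped `::ffff:127.0.0.1` / `::ffff:7f00:1`, and NO_PROXY entries treated as equivalent across IPv4/IPv6 spellings with port-aware matching), as an added example. This is not the project's `shouldBypassProxy` and the PR's diff is not on this page; the address parsers, the `splitHostPort` helper, the `target` shape (`{hostname, port}`) and the exact-match / leading-dot suffix handling for non-loopback entries are all assumptions made here for illustration.

```javascript
// Added example: loopback-aware NO_PROXY matching. Not the project's code.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// Strict dotted-quad parse -> [a, b, c, d] or null.
function parseIPv4(str) {
  const m = IPV4_RE.exec(str);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// IPv6 parse -> eight 16-bit groups or null. Accepts [brackets], "::"
// compression and an embedded IPv4 tail such as ::ffff:127.0.0.1.
function parseIPv6(str) {
  let s = str;
  if (s.startsWith('[') && s.endsWith(']')) s = s.slice(1, -1);
  if (!/^[0-9a-fA-F:.]+$/.test(s)) return null;
  if (s.includes('.')) {
    // Rewrite the dotted tail as two hex groups so one code path remains.
    const lastColon = s.lastIndexOf(':');
    const v4 = parseIPv4(s.slice(lastColon + 1));
    if (!v4) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    s = `${s.slice(0, lastColon + 1)}${hi}:${lo}`;
  }
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const toGroups = (part) => (part === '' ? [] : part.split(':'));
  const head = toGroups(halves[0]);
  const tail = halves.length === 2 ? toGroups(halves[1]) : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...new Array(missing).fill('0'), ...tail];
  const out = [];
  for (const g of groups) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
    out.push(parseInt(g, 16));
  }
  return out;
}

// True for every loopback spelling: 127/8, ::1 (any form), ::ffff:127.x.x.x.
// Plain hostnames (e.g. "localhost") are not addresses and return false here.
function isLoopbackHost(host) {
  const v4 = parseIPv4(host);
  if (v4) return v4[0] === 127;
  const v6 = parseIPv6(host);
  if (!v6) return false;
  const zeroPrefix = (n) => v6.slice(0, n).every((g) => g === 0);
  if (zeroPrefix(7) && v6[7] === 1) return true;          // ::1, 0:0:0:0:0:0:0:1
  return zeroPrefix(5) && v6[5] === 0xffff && (v6[6] >> 8) === 127; // ::ffff:7f00:xxxx
}

// Split a NO_PROXY entry into {host, port|null}. Returns null for a malformed
// host:port. A bare IPv6 (two or more colons) cannot carry a port unbracketed.
function splitHostPort(entry) {
  const m = /^\[([^\]]+)\](?::(\d+))?$/.exec(entry);
  if (m) return { host: m[1], port: m[2] ? Number(m[2]) : null };
  const parts = entry.split(':');
  if (parts.length === 2) {
    if (!/^\d+$/.test(parts[1])) return null;
    return { host: parts[0], port: Number(parts[1]) };
  }
  return { host: entry, port: null };
}

// target: { hostname, port } as a URL object would provide them.
// noProxy: the NO_PROXY string, comma separated.
function shouldBypassProxy(target, noProxy) {
  const host = target.hostname.replace(/^\[|\]$/g, '').toLowerCase();
  const targetPort = target.port === undefined || target.port === '' ? null : Number(target.port);
  for (const raw of noProxy.split(',')) {
    const entry = raw.trim();
    if (entry === '') continue;
    if (entry === '*') return true;
    const parsed = splitHostPort(entry);
    if (!parsed) continue;
    // Port-aware: an entry with a port only covers that port.
    if (parsed.port !== null && parsed.port !== targetPort) continue;
    // Cross-equivalence: any loopback spelling in NO_PROXY covers any
    // loopback spelling of the target.
    if (isLoopbackHost(parsed.host) && isLoopbackHost(host)) return true;
    const h = parsed.host.toLowerCase();
    if (h === host) return true;                         // exact name match (assumed)
    if (h.startsWith('.') && host.endsWith(h)) return true; // domain suffix (assumed)
  }
  return false;
}
```

With `NO_PROXY=127.0.0.1:8080`, a request to `http://[::1]:8080/` bypasses the proxy while `http://[::ffff:127.0.0.1]:9000/` does not, because the entry carries a port and only that port is covered.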

@jasonsaayman jasonsaayman self-assigned this Apr 18, 2026
@jasonsaayman jasonsaayman added priority::medium A medium priority commit::fix The PR is related to a bugfix type::security The PR is a security related change normally from a CVE labels Apr 18, 2026
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@jasonsaayman jasonsaayman merged commit e033f24 into v1.x Apr 18, 2026
37 of 39 checks passed
@jasonsaayman jasonsaayman deleted the fix/ghsa-pmwg-cvhr-8vh7 branch April 18, 2026 15:41